When you're migrating on-premises mailboxes to Office365, there are a lot of factors that can impact overall mailbox migration speed and performance. This post will help you investigate and correct the possible causes by using the AnalyzeMoveRequestStats.ps1 script to analyze the performance of a batch of move requests to identify reasons for slower performance.

The AnalyzeMoveRequestStats script provides important performance statistics from a given set of move request statistics. It also generates two files - one for the failure list, and one for individual move statistics.

Step 1: Download the script and import using the following syntax

> . .\AnalyzeMoveRequestStats.ps1

Step 2: Select the move requests that you want to analyze

In this example, we’re retrieving all currently executing requests that are not in a queued state.

> $moves = Get-MoveRequest | ?{$_.Status -ne 'queued'}

Step 3: Get the move reports for each of the move requests you want to analyze

Note: This make take a few minutes, especially if you’re analyzing a large number of moves

> $stats = $moves | Get-MoveRequestStatistics –IncludeReport

Step 4: Run the ProcessStats function to generate the statistics

> ProcessStats -stats $stats -name ProcessedStats1

The output should look similar to the following:

StartTime:    2/18/2014 19:57
EndTime:    3/3/2014 17:15
MigrationDuration:    12 day(s) 19:10:55
MailboxCount:    50
TotalGBTransferred:    2.42
PercentComplete:    95
MaxPerMoveTransferRateGBPerHour:    1.11
MinPerMoveTransferRateGBPerHour:    0.43
AvgPerMoveTransferRateGBPerHour:    0.66
MoveEfficiencyPercent:    86.36
AverageSourceLatency:    123.55
AverageDestinationLatency:   
IdleDuration:    1.16%
SourceSideDuration:    78.93%
DestinationSideDuration:    19.30%
WordBreakingDuration:    9.63%
TransientFailureDurations:    0.00%
OverallStallDurations:    4.55%
ContentIndexingStalls:    1.23%
HighAvailabilityStalls:    0.00%
TargetCPUStalls:    3.32%
SourceCPUStalls:    0.00%
MailboxLockedStall:    0.00%
ProxyUnknownStall:    0.00%

How to read the results

The first step in understanding the results are to understand the definitions of the report items:

Next, you need to identify which side of the migration components is slower by looking at the SourceSideDuration and DestinationSideDuration values.

Note: The SourceSideDuration value + DestinationSideDuration value is usually, but not always, equal to 100%.

If you see that the SourceSideDuration value is greater than the normal range of 60-80%, this means the source side is the bottleneck. If the DestinationSideDuration value is greater than the normal 20-40%, this means the destination side of the migration is the bottleneck

Causes of source side slowness in onboarding scenarios

There are several possible reasons the source side of the migration in an onboarding scenario may be causing slower than normal performance.

High transient failures

Most common reason for transient failures is the connectivity issue to the on-premises MRSProxy web service on your Mailbox servers. Check the TransientFailureDurations and MailboxLockedStall values in the output and also check the failure log generated by this script to verify any failures. The source mailbox may also get locked when a transient failure occurs and this will lower migration performance.

Misconfigured network load balancers

Another common reason for connectivity issues are misconfigured load balancers. If you're load balancing your servers, the load balancer needs to be configured so that all calls for a migration specific request is directed to the same server hosting the MRSProxy service instances.

Some load balancers use the ExchangeCookie to associate all the migration requests to the same Mailbox server where the MRSProxy service is hosted.

If your load balancers are not configured correctly, migration calls may be directed to the “wrong” MRSProxy service instance and will fail. This causes the source mailbox to be locked for some time and lowers migration performance.

High network latency

The Office 365 MRSProxy service makes periodic dummy web service calls to the on-premises MRSProxy service and collects statistics from these calls. The AverageSourceLatency value represents the average duration of these calls. If you see high values for this parameter (greater than 100ms), it can be caused by:

Network latency between the Office 365 and on-premises MRSProxy services is high

In this case, you can try to reduce the network latency by

1. Migrate mailboxes from servers closer to Office 365 datacenters. This is usually not feasible, but can be preferred if the migration project is time critical.
2. Delete empty mailbox folders or consolidate mailbox folders. High network latency affects the move rate more if there are too many folders.
3. Increase the export buffer size. This reduces the number of migration calls, especially for larger mailboxes and reduces the time spent in network latency. You can increase the export buffer size by modifying the ExportBufferSizeOverrideKB parameter in the MSExchangeMailboxReplication.exe.config file

Example: ExportBufferSizeOverrideKB="7500"

Important: You need to have Exchange 2013 SP1 installed on your Client Access server to increase the export buffer size. This will also disable cross forest downgrade moves between Exchange 2013 and Exchange 2010 servers.

Source servers are too busy and not very responsive to the web service calls

In this care you can try to release some of the system resources (CPU, Memory, Disk IO etc.) on the Mailbox and Client Access servers.

Scale issues

The resource consumption on the on-premises Mailbox or Client Access servers may be high if you're not load balancing the migration requests or you're running other services on the same servers. You can try distributing the source mailboxes to multiple Mailbox servers and moving mailboxes to different databases located on separate physical hard drives.

Causes of destination side slowness in onboarding scenarios

There are several possible reasons the destination side of the migration in an onboarding scenario may be causing slower than normal performance. Since the destination side of the migration is Office 365, there are limited options for you to try to resolve bottlenecks. The best solution is to remove the migration requests and re-insert them so that migration requests are assigned to less busy Office 365 servers.

Office 365 system resources: This is likely due to insufficient system resources in Office 365. Office 365 destination servers may be too busy with handling other requests associated with normal support of services for your organization.

Stalls due to word breaking: Any mailbox content that is migrated to Office365 is separated into individual words so that it can be indexed later on. This is performed by the Office 365 search service and coordinated by the MRS service. Check the WordBreakingDuration values to see how much time is spent in this process. If it's more than 15%, it usually indicates that the content indexing service running on the Office 365 target server is busy.

Stall due to Content Indexing: Content indexing service on the Office 365 servers is too busy.

Stall due to High Availability: High availability service that is responsible to copy the data to multiple Office 365 servers is too busy.

Stall due to CPU: The Office 365 server's CPU consumption is too high.

Karahan Celikel and the Migration Team

Microsoft Point of Service (POS) for .NET v1.14 is now available, and with it comes a set of .NET class libraries that makes it possible to write .NET applications for the retail and hospitality industry.

POS for .NET v1.14 allows sales associates in training to try using chip and pin peripherals (those magnetic readers you see at store checkout counters) without impacting actual transactions. POS for .NET also provides more symbols for POS printers and barcode scanners; and provides fiscal printer data in several different formats, which makes it easier to review daily transactions.

POS for .NET also adds POS objects for retail peripherals — such as smartcards, motion sensors and fiscal printers — to support a larger set of peripherals, so developers can spend less time writing code to create these objects and more time building and delivering memorable experiences.

Head over to the Windows Embedded blog to find out more about POS for .NET v1.14.

You might also be interested in:

• Don’t fly blind, measure your apps from the inside
• Microsoft Payment Solutions offers flexible payment structures for businesses looking to move to the cloud
• EuroShop shows off Microsoft Dynamics and Windows Embedded retail displays

Athima Chansanchai
Microsoft News Center Staff

Teams from around the world will compete Sunday in the first ever eSports Call of Duty World Championship on Xbox One.

Major Nelson reports that you can watch Sunday’s competition on Xbox Live or Xbox.com beginning at 3 p.m. PST. You can also catch opening round action Friday and Saturday on MLG.tv.

The best 32 teams representing more than 17 countries will qualify to be in the running to share the tournament’s $1 million prize.

Stay tuned to Xbox Wire for more information and edge-of-your-seat updates.

You might also be interested in:

· Blink photo app updated with new look, better video stabilization and sharing to OneDrive
· MLB.com At Bat updated with breaking news push notifications, pitch-by-pitch tracking
· Get to know Microsoft's Galactic Viceroy of research excellence

Aimee Riordan
Microsoft News Center Staff

Open data has the power to help cities achieve their goals. How? By making public information resources accessible to everyone no matter what device they use, open data helps cities empower residents to make better decisions about safety, education and productivity.

To turn that goal into reality, city leaders and other government chief information officers can use consistent formats and systems to organize raw data.

For instance, cities can provide mass transit schedules in the General Transit Feed Specification (GTFS) format, which gives Bing Maps users the arrival time of the next bus, train or other mass transit service. This could translate to more people using mass transit and less urban congestion.

For more information about open data standards and more examples of how cities, businesses and other organizations can work together to provide information to the public, head over to the Microsoft in Government blog.

You might also be interested in:

• #MSFTCOSO POV: A year of progress as Microsoft’s chief online safety officer
• Find out how Microsoft and open source ecosystems working together add value
• Microsoft’s goal: Bring Big Data insights to a billion people

Athima Chansanchai
Microsoft News Center Staff

Summary:  Learn how to use Windows PowerShell to quickly check to see if a computer is up.

 How can I use Windows PowerShell to see if a computer is up?

 Use the Test-Connection cmdlet to send a ping (icmp packet) to the remote computer.
          If you specify the –Quiet parameter, it returns only True or False.

Test-Connection -BufferSize 32 -Count 1 -ComputerName 192.168.0.41 -Quiet

Microsoft hat heute den Sicherheitshinweis 2953095 veröffentlicht. Er behandelt eine vertraulich gemeldete Schwachstelle in allen derzeit unterstützten Versionen von Microsoft Word (Word 2003 bis Word 2013), inklusive der Versionen Word 2013 RT und auch der Mac-Version. Microsoft sind derzeit vereinzelte, gezielte Attacken auf Anwender von Word 2010 bekannt, die diese Schwachstelle missbrauchen.

Um sofortigen Schutz vor Angriffen zu bieten, stellt Microsoft ein Fix it bereit. Das Fix it verhindert, dass RTF-Dateien in Word geöffnet werden können. Die Schwachstelle findet sich im Programmcode von Word, der zur Anzeige von Rich-Text-Format (RTF)-Dokumenten zuständig ist. Bis ein vollwertiges Security Bulletin die Lücke ganz schließt, empfehlen wir allen Nutzern von Word, vorerst die Installation des Fix it.

Die Schwachstelle lässt sich auch missbrauchen, wenn ein Anwender bösartig modifizierten RTF-Inhalt in Outlook öffnet. Daher empfehlen wir, vorerst alle E-Mails nur als reinen Text anzeigen zu lassen. Die für Outlook 2013 notwendigen Schritte beispielsweise sind in einem Hilfedokument beschrieben, die Schritte für Outlook 2003 und 2007 in einem Knowledge-Base-Eintrag.

Auch der Einsatz von Microsoft EMET (Enhanced Mitigation Toolkit) erschwert den Missbrauch der Schwachstelle. Details zur Konfiguration von EMET finden sich im Sicherheitshinweis.

Microsoft will be at the Gartner Business Intelligence and Analytics summit being held in Las Vegas from March 30^th– April 2^nd as a premier sponsor. We’re looking forward to sharing our vision of how we’re making big data real through the familiar tools you already use – SharePoint, Excel and SQL Server – as well as new ones such as Power BI for Office 365 and Windows Azure HDInsight.

Over the last few years, we’ve all had to deal with an explosion in data types and the velocity at which we need to react to that data. In this world of big data, Microsoft has refined our data toolkit – adding performance and scaling capabilities on commodity hardware in SQL Server 2014, as well as the ability to store, process and analyze large volumes of data through Windows Azure HDInsight, our 100% compatible implementation of Apache Hadoop.

Just as we’ve added capabilities to our data platform, we’ve continued to focus on making it as easy as possible to get rich insights from your stored data – whether it’s in SQL Server, Windows Azure HDInsight or a 3^rd party data provider such as a LOB system. We’ve built powerful visualizations right into Excel with Power View and have added geospatial mapping capabilities through Power Map. It’s also now possible to query your data with natural language through Q&A in Power BI.

Our focus at Gartner will be on showcasing how all of these innovations are coming together to enable all of your users to find, analyze and use the information they need quickly and easily.

We’d love to speak to you if you’ll be there. Stop by our booth; attend our session on April 2^nd from 10:45 AM – 11:45 AM; or schedule an individual meeting with Microsoft through the Gartner concierge. We’re also co-hosting a learning lab on the show floor with our partner SAP where you can learn about how Power BI connects to SAP BusinessObjects BI Universes, both through small group sessions and hands-on demonstrations.

We hope to see you. If you haven’t yet registered, you may use code BISP7 to get a $300 discount on registration.

For those who want access to the upcoming SQL Server 2014 release as soon as possible, please sign-up to be notified once the release is available.  Also, please join us on April 15 for the Accelerate Your Insights event to learn about our data platform strategy and how more customers are gaining significant value with SQL Server 2014.  There also will be additional launch events worldwide so check with your local Microsoft representatives or your local PASS chapter for more information on SQL Server readiness opportunities.

Today, Microsoft released Security Advisory 2953095 to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010.

This blog will discuss mitigations and temporary defensive strategies that will help customers to protect themselves while we are working on a security update. This blog also provides some preliminary details of the exploit code observed in the wild.

Mitigations and Workaround

The in the wild exploit takes advantage of an unspecified RTF parsing vulnerability combined with an ASLR bypass, which depends by a module loaded at predictable memory address.

First, our tests showed that EMET default configuration can block the exploits seen in the wild. In this case, EMET’s mitigations such as “Mandatory ASLR” and anti-ROP features effectively stop the exploit. You can find more information about EMET at http://www.microsoft.com/emet. The exploit code seems to target Word 2010 and it deeply relies on the specific ASLR bypass mentioned. We were glad to see in our tests that this exploit fails (resulting in a crash) on machines running Word 2013, due to the ASLR enforcement introduced for this product.

In addition to EMET mitigations, users may consider to apply stronger protections by blocking the root cause of the issue with one of the following suggested workarounds:

• disable opening of RTF files;

• enforce Word to open RTF files always in Protected View in Trust Center settings.

To facilitate deployment of the first workaround, we are providing a Fix it automated tool. The Fix it uses Office’s file block feature and adds few registry keys to prevent opening of RTF files in all Word versions. After the Fix it is installed, opening RTF file will result in the following message:

If blocking RTF files is not an option, enterprise could enforce “Open selected file types in Protected View” instead of “Do not open selected file types” in Trust Center settings. The “Protected View” mode in Office 2010/2013 does not allow ActiveX controls to load. This will mitigate the attack we observed. Once the workaround is enabled, Word will prompt the Protected View gold bar, but will still allow the preview of the document.

Enterprise admins may also consider to make their own custom protection using Trust Center features of Office instead of the Fix it, since these settings can be managed and deployed through GPO. For more details, please refer to: http://office.microsoft.com/en-us/word-help/what-is-file-block-HA010355927.aspx#_File_Block_settings.

Theoretical Outlook attack vector

There is a theoretical Outlook attack vector for RTF vulnerabilities through the preview pane. The reduced functionality of the preview pane makes this attack vector extremely hard to carry, and to date we have never seen exploits leveraging this mechanism.

Technical details of the exploit

The attack detected in the wild is limited and very targeted in nature. The malicious document is designed to trigger a memory corruption vulnerability in the RTF parsing code. The attacker embedded a secondary component in order to bypass ASLR, and leveraged return-oriented-programming techniques using native RTF encoding schemes to craft ROP gadgets. The structure of the malicious document and the individual blocks is described in the picture below.

When the memory corruption vulnerability is triggered, the exploit gains initial code execution and in order to bypass DEP and ASLR, it tries to execute the ROP chain that allocates a large chunk of executable memory and transfers the control to the first piece of the shellcode (egghunter). This code then searches for the main shellcode placed at the end of the RTF document to execute it.

One peculiar aspect of the main shellcode is the fact that it employs multiple consecutive layers of decryption and well-known anti-debugging tricks, such as test of debugging flags an, RDTSC timing checks and jump-hops over hooks, possibly to defeat automated sandbox, analysis tools and researchers. The shellcode has also been programmed with a special date-based deactivation logic. In fact, it parses the content of “C:\Windows\SoftwareDistribution\ReportingEvents.log” file and it scans all the available Microsoft updates installed on the machine. The shellcode will not perform any additional malicious action if there are updates installed after April, 8 2014. This means that even after a successful exploitation with reliable code execution, after this date the shellcode may decide to not drop the secondary backdoor payload and simply abort the execution. When the activation logic detects the correct condition to trigger, the exploit drops in the temporary folder a backdoor file named ‘svchost.exe’ and runs it. The dropped backdoor is a generic malware written in Visual Basic 6 which communicates over HTTPS and relies on execution of multiple windows scripts via WScript.Shell and it can install/run additional MSI components.

Detection and indicators for defenders

We are providing a good list of IOCs (Indicator of Compromise) hoping to facilitate defensive efforts and to help security vendors and professionals to stay protected from this specific attack. The remote C&C server used by the current backdoor in the file uses encrypted SSL traffic with a static self-signed certificate that can be easily detected.

- Chengyun Chu and Elia Florio, MSRC Engineering

Often when we meet with customers around our cloud services, we review lots of information.  It might be high level conversations right down to the technical nuts and bolts.  What we always find though is customers looking for fairly consistent types of information to do their own research and comparison of Microsoft's technology compared to other providers.  Security, Planning, Training are just a few of the topics that seem to be listed as follow-up items form most every discussion.. When I have an Office 365 conversation with a customer I always like to provide follow-up information I have cultivated from Microsoft and public sources that address these and other topics.. To that end I created a Follow-up check list and information list to leave customers once my sessions are done.  You can preview it below in the Word Online Viewer or find it at http://1drv.ms/1kYmoU9.  Office 365 and online services continue to evolve and as such, we will keep this document updated to always include the most useful information for State and Local Government customers looking at Office 365.   

Microsoft was praised for its commitment to carbon neutrality and internal carbon fee in a report published recently by the U.S. Chamber of Commerce Foundation Corporate Citizenship Center.

The company’s internal carbon fee is a mechanism used to achieve net-zero emissions for its data centers, offices, software development labs and employee air travel. The Microsoft Green blog notes the news is particularly timely given World Water Day was March 22.

Head to the Green Blog for more details as well as updates on Microsoft’s efforts around carbon neutrality and reducing its environmental footprint.

You might also be interested in:

· Microsoft shows green energy momentum with investment in Keechi Wind Farm
· Microsoft continues going green with investments in 15 carbon offset projects across the globe
· Get to know Microsoft's Galactic Viceroy of research excellence

Aimee Riordan
Microsoft News Center Staff

My name is Ram Malkani and I am a Support Escalation Engineer on Microsoft’s Windows Core team. I am writing to discuss how Failover Clustering is integrated with Active Directory on Windows Servers.

Windows Server Failover Clustering, has always had a very strong and cohesive attachment with the Active Directory. We made considerable changes to how Failover Clustering integrates with AD DS, as we made progression to new versions of Clusters running on Windows Servers. Let us see the story so far:

What’s new with Clustering in Windows Server 2012 R2

We have introduced, a new mode to create a Failover Cluster on Windows Server 2012 R2, known as Active Directory detached Cluster. Using this mode, you would not only no longer need to pre-stage these objects but also stop worrying about the management and maintenance of these objects. Cluster Administrators would no longer need to be wary about accidental deletions of the CNO or the Virtual Computer Objects (VCOs). The CNOs and VCOs are now instead created in Domain Name System (DNS).

This feature provides greater flexibility when creating a Failover Cluster and enables you to choose to install Clusters with or without AD integration. It also improves the overall resiliency of cluster by reducing the dependencies on CNO and VCOs, thereby reducing the points of failure on the cluster.

The intra-cluster communication would continue to use Kerberos for authentication, however, the authentication of the CNO would be done using NT LM authentication. Thus, you need to remember that for all Cluster roles that need Kerberos Authentication use of AD-detached cluster is not recommended.

Installing Active Directory detached Cluster

First, you should make sure that the nodes, running Windows Server 2012 R2 that you are intending to add to the cluster are part of the same domain, and proceed to install the Failover-Cluster feature on them. This is very similar to conventional Cluster installs running on Windows Servers. To install the feature, you can use the Server Manager to complete the installation.

Server Manager can be used to install the Failover Clustering feature:

Introducing Server Manager in Windows Server 2012
http://blogs.technet.com/b/askcore/archive/2012/11/04/introducing-server-manager-in-windows-server-2012.aspx

We can alternatively use PowerShell (Admin) to install the Failover Clustering feature on the nodes.

Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools

An important point to note is that PowerShell Cmdlet ‘Add-WindowsFeature’ is being replaced by ‘Install-WindowsFeature’ in Windows Server 2012 R2. PowerShell does not install the management tools for the feature requested unless you specify  ‘-IncludeManagementTools’ as part of your command. 

BONUS READ:
The Cluster Command line tool (CLUSTER.EXE) has been deprecated; but, if you still want to install it, it is available under:
Remote Server Administration Tools --> Feature Administration Tools --> Failover Clustering Tools --> Failover Cluster Command Interface in the Server Manager

The PowerShell (Admin) equivalent to install it:

Install-WindowsFeature -Name RSAT-Clustering-CmdInterface

Now that we have Failover Clustering feature installed on our nodes. Ensure that all connected hardware to the nodes passes the Cluster Validation tests. Let us now go on to create our cluster. You cannot create an AD detached clustering from Cluster Administrator and the only way to create the AD-Detached Cluster is by using PowerShell.

New-Cluster MyCluster -Node My2012R2-N1,My2012R2-N2 -StaticAddress 192.168.1.15 -NoStorage -AdministrativeAccessPoint DNS

NOTE:
In my example above, I am using static IP Addresses, so one would need to be specified.  If you are using DHCP for addresses, the switch “-StaticAddress 192.168.1.15” would be excluded from the command.

Once we have executed the command, we would have a new cluster created with the name “MyCluster” with two nodes “My2012R2-N1” and “My2012R2-N2”. When you look Active Directory, there will not be a computer object created for the Cluster “MyCluster”; however, you would see the record as the Access Point in DNS.

For details on cluster roles that are not recommended or unsupported for AD detached Clusters, please read:

Deploy an Active Directory-Detached Cluster
http://technet.microsoft.com/en-us/library/dn265970.aspx

That’s it! Thank you for your time.

Ram Malkani
Support Escalation Engineer
Windows Core Team

Who are you, where are you, and what do you do? What are your specialty technologies?

Hi! I live in İzmir.  I believe that İzmir is one of the most beautiful cities in Turkey.

it has  many places to see which smells history. To mention about myself;

I have been working in IT section  for 3 years. I want to improve myself on Active Directory ve Exchange Server. I was graduated from European University of Lefke. I have attended System Management in BilgeAdam in İzmir. I have been system manager on Microsoft platforms for 2 years. At the same time I have  Windows Server 2012 Mcp and Mcsa certificates.

My position in the firm; To ensure the full completion of the infrastructure, networking, security and  installation of active devices as well as the servers regarding all the  systems under the body of whole groups of the company by participating within the each phases of the process. As well as to manage  more than 30 server operating systems, Active Directory, domain structures, WSUS, Exchange mail servers. Maintenance of servers, backups, failure detection and removal. Making Virtualization features (hyperV2 and vmware)  and new additions to the system. Dispersion of more than 1500 clientin IP dispersion in the university and college campuses, management of Exchange (2010 and 2007) mail servers, to intervene in failure and ensure it to work 24/7. Additionally I provide the backups and the security of the whole system.I provide automatic backup and  adjustment of process by making Windows server (2003,2008,2008 r2, 2012 & R2) installation necessary optimization at the customer side.

What are your hobbies? What do you do in your free time?

I spend most of my free time by reading books. My family is especial for me and I enjoy going somewhere with them. I love watching movies and my favorite films are ‘’The Series of Godfather’’  and ‘’The Lake House’’.

And;  indispensable of my life is Sports….

I like painting and there is a case study below;

What are your big projects right now? 

I took part in virtualization projects with e-Solutions company about 2 months ago. In this project,  We have completed the process of approximately 40 physical servers to virtual with VMware Converter Standalone transportation and the Active Directory Migration and Exchange Server Migration. I  actually took part in Veeam Backup & Replication 's establishment in a VM and all VMs on cluster for the backup on the NAS; raising of  Exchange Server 2007 to Exchange Server 2010 SP3; transport of all physical servers to virtual and creation of ADCs.  For the moment I do not have a specific Project.

Besides your work on TechNet Wiki, where do you contribute?

I have been writing in www.hasandimdik.com  that I set up by myself. At the same time I have been writing in www.ituzmanlari.com and www.mshowto.org  . Also I have sharings in Microsoft Curah

http://curah.microsoft.com/curator/55009

What is it about TechNet Wiki that interests you?

In general; I am interested in Active  Directory and Exchange articles.

On what Wiki articles do you spend most of your time?

I read Active Directory and Exchange articles gladly, I also  follow the other articles for general information.

Who has impressed you in the Wiki community, and why?

For me, all our friends are so precious and experts in their fields but if I should say the names; Uğur Demir in Exchange field, Yavuz Taşçı and Davut Eren in Active Directory field who impressed me by their quality articles.

Thank you

Contoso Labs Series - Table of Contents

Now that Cisco has been chosen as the vendor for our network, we need to identify the layers of our network fabric, and the devices to be used in those roles.

We'll have a 3-level network topology when done. Some devices will act as leaf node top-of-rack switches. More capable devices will be core+edge routers. Finally, we'll need an aggregator level to connect the two, and isolate storage traffic from the core. We'll detail the network configuration and the traffic shaping considerations that went into it at a later time. For now, let's just identify the devices we're using, and why they suit our needs.

Leaf Switches

For leaf top-of-rack switches, we'll be using the Cisco Nexus 3048. This device has good port density, (48x1GbE RJ-45 ports, 4x10GbE SFP+ ports) and supports all of the important functions needed, like OMI and port-channels. Given our node count, we’ll end up needing 32 of these total, so their relative affordability is another asset to us. A simple, solid choice for our purposes.

Spine Switches

The spine aggregator switches will be Cisco Nexus 3064-X devices. These are much more capable 10GbE switches, of which we’ll need 8.  Each has 48 SFP+ 10GbE ports, as well as four QSFP+ 40GbE ports.  Extremely low latency and line-speed switching combined with Layer-3 routing allows us to create a very high speed spine/aggregator layer for our racks.  This is critical in our overall architecture because we’re using a converged fabric design, where our Ethernet fabric has to carry all of our combined I/O.  Isolating storage traffic off of the core will keep performance acceptable for everyone, and we need a high speed intermediate layer to pull that off.

Edge Router

The edge of our network will be served by two Cisco Nexus 6001 devices. While from the outside these would appear almost identical to the 3064-X’s, the network capabilities provided by the 6001 are much greater.  Larger lookup and routing tables, and more sophisticated controls are available that make it better suited to sit at the center of a network that will be hosting 300+ physical nodes and thousands of virtual machines operating on NVGRE virtual networks.

That covers our purchasing of net new equipment for this project.  Combined with our existing assets, we have everything we need to design and deploy our private cloud.  Starting on Wednesday, we’ll start describing how we integrated these components, and what our deployment is going to look like.

As more and more customers move to Office 365 and leverage the power of Windows Azure there is a growing need to understand identity management and how to properly link multiple online services to a single Azure AD instance. As a bit of a background, Windows Azure AD is the primary directory that provides access to all online services including Office 365, Azure, Windows Intune and Microsoft Dynamics. By default when you sign up for an online service such as Office 365 an Azure AD "bucket" is created to service that tenant. The Azure AD can then be populated in multiple ways:

• Manual creation using Cloud Identities
• Bulk creation by uploading CSV files
• Directory Synchronization

For most enterprises the final option above is the optimal solution because it allows for organizations to manage a single on-premises Active Directory identity for each user. Those identities are then synchronized via the Directory Synchronization server to the Azure AD.

As I mentioned earlier in this post you can think of the Azure Active Directory as the primary source for all Microsoft Online services. The goal would be to have a single Azure AD instance that services all of your various online product groups. In this optimal environment the Directory Synchronization till would be installed on-premises to sync Active Directory objects to the Azure AD, then that single instance in Azure would service all of the various online services as depicted below.

However, if the various services aren't linked together properly you can end up with a scenario where multiple Azure AD instances are created resulting in multiple directories to manage that are not linked.

There are many issues with the scenario depicted above. First thing to note is that the Directory Synchronization tool can only have one instance on-premises so there is no way in the example above to install DirSync to provision the Azure AD instance supporting Office 365 and then have a second DirSync server serving a separate Azure AD supporting Azure. This is why it is critical for customers to understand how to link Microsoft Online services so a single instance of Azure AD can be used to service multiple online services. This streamlines the management process and allows you to manage all user identities from their local Active Directory and have all changes synchronize to the single Azure AD instance that services all Microsoft online services.

There are generally two scenarios for customers, the first is for customers who start with Office 365 and wants to add Azure. For this process a colleague of mine has posted step-by-step instructions on how to link the new Azure instance to the Existing Office 365, Adding an Azure subscription to your Office 365 account. The second is for customers who start with Azure and want to add Office 365. For this process you can follow the blog posting, Creating and managing multiple windows Azure Active Directories.

Now that we understand how to link different Microsoft cloud offerings we can dive into how to synchronize your on-premises Active Directory environment to the Azure Active Directory.

Syncing Active Directory with Windows Azure Active Directory

The Directory Synchronization tool is a free tool provided by Microsoft that allows the one-way sync from on-premises to the Azure AD. Prior to deploying the tool it is highly recommended that the local Active Directory be reviewed and prepared for Directory Synchronization, for more information see the blog post Plan for Directory Synchronization for Office 365. Most environments have old user objects or accounts with non-valid characters. An example I see in the field quite a bit is administrative accounts starting with a non-standard character such as '#'. This makes sense on-premises in certain cases where customers want to isolate out administrative accounts, however from a Cloud perspective the '#' is seen as a coding variable and therefor noted as an invalid character for Directory Synchronization. The best rule of thumb is a clean Active Directory leads to a happy cloud.

The rest of this blog assumes you have gone through the AD remediation and prep phase. Now that this has been completed we are going to deploy the Directory Sync tool provided in Office 365. Remember now that you have linked your Office 365 and Azure tenants when you synchronize your AD to Office 365 the users will also be available in Azure.

Before deploying the tool let's take a look at the Office 365 tenant. When logging into the portal you'll notice there is a significant amount of information including the service overview with information about overall service health, status of service requests, lists of inactive users and a drill down snapshot of each platforms current health with detailed information if issues exist. There is also a Quick Link section to the right with common admin shortcuts such as password resets, adding users, and assigning licenses to users and downloading software.

The first step in identity provisioning with Directory Synchronization is enabling the service in the portal. This is identical to the way it was done previously. First select Users and Groups from the left hand menu, then click Set Up next to Active Directory synchronization.

From the next page click Activate under step 3 to enable Directory Synchronization in the tenant:

If you prefer PowerShell you can enable Directory Synchronization using the following CmdLets:

Import-Module MSOnline
$cred=Get-Credential
Connect-MSOLservice -Credential $cred
Set-MsolDirSyncEnabled -EnableDirSync $True

To check and see if DirSync has been enabled run the following CmdLet:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

Remember it may take time for Directory Synchronization to be fully enabled so check back until the value changes to True. Once this is done we are ready to deploy Directory Synchronization.

Prior to installing the Directory Sync tool you need to install .NET 3.5 which can be installed as a Feature. To install it open Server Manager and click Add roles and Features

On the first page select Role-Based or Feature-based installation and click Next:

On the next page select the server you want to install the Feature and click Next:

On the Roles page you can simply click Next without clicking any Roles. On the Select Features page, check the box for .NET Framework 3.5 features and click Next:

Click Install on the final confirmation page to finish the installation:

Once you have your .NET Framework installed it is time to download the tool.

• First log into the portal at http://portal.microsoftonline.com
• Click Users and Groups from the menu on the left
• Select Set-Up next to the Active Directory Synchronization link at the top of the page
• Scroll down to step four and click download
• Once you have the file downloaded go to the folder, right click the file and select Run as Administrator
• During the installation select all of the defaults

On the final page check the box Start Configuration Wizard Now and click Finish:

At the first screen enter your global admin credentials and click Next. Generally speaking you want to create a service account in Office 365 for this purpose and set its password to never expire, but for the purposes of the demo I am just going to use my account.

On the next page enter the credentials of an Enterprise Admin account. Now, this account is different than the previous account. It doesn't actually get stored in the tool. The Configuration Wizard uses the Enterprise Admin credentials to create the directory synchronization service account, MSOL_AD_Sync. The Configuration Wizard creates the service account as a domain account with directory replication permissions on your local Active Directory, with a randomly generated complex password that never expires.

On the next screen check the box* to Enable Exchange Hybrid Mode and click Next. Finally, you can choose to sync the directories immediately:

*this is assuming you plan on using Exchange Hybrid as part of your Office 365 migration. Enabling this option enables the Directory Synchronization tool to write-back certain attributes from Office 365 to Active Directory. This allows additional support for features like cloud archives for on-premises mailboxes, off-board mailboxes from the cloud to on-premises Exchange servers and have on-premises filtering software take advantage of user made safe and blocked senders in the cloud.

Below is a table of the attributes that are added to write-back when hybrid mode is enabled:

The final screen will ask if you want to enable Password Synchronization, this is a relatively new feature that hashes the local AD password and puts a copy of that password into Azure AD. This provides 'same sign on' functionality which should not be confused to single-sign on which is a feature of Active Directory Federated Services (AD FS). For more information on Password Sync and ADFS check out these links:

Password Sync

AD FS

Assuming you chose to sync your directories immediately you can verify the process by doing one of two things. You can look in the event viewer for application level messages or you can open up the MIISClient. The MIISClient is located in the following path:

C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell

Once there, double click MIISClient to run the app. When you first launch it you will see the status and can drill into the details of each step of the sync:

Conclusion

The most important thing for you to take away from this post is the process of planning and deploying a properly designed identity management solution for your Microsoft investment is critical to the success of your business. Without proper design considerations around how to link your various cloud offerings and how to properly deploy and configure the Directory Synchronization tool your identity management solution may become unmanageable. The takeaways from this post are:

• Planning how to connect multiple Microsoft cloud services is key to manageability
• Proper deployment and configuration of the Directory Synchronization tool allow for single-source management across offerings

 Por Tim Rains - Microsoft

Ha sido bien publicitado que el 8 de abril de 2014 Microsoft descontinuará el soporte al producto para Windows XP.  Liberada en 2001, la política de soporte para la vida de Windows XP pronto continuó en octubre 2002.  En septiembre de 2007, anunciamos que el soporte para Windows XP se extendería dos años adicionales al 8 de abril de 2014.  Tenemos muy claro el ciclo de vida de nuestros productos (lifecycle of our products), comunicando deliberadamente esta información con años de antelación, ya que sabemos que los clientes necesitan tiempo para planificar los cambios a sus inversiones tecnológicas y administrar las actualizaciones a los nuevos sistemas y servicios.

También nos hemos centrado en la comunicación de forma regular, como un artículo article publicado en agosto del año pasado.  Ese artículo se centró en el hecho de que las versiones soportadas reciben las actualizaciones de seguridad que se ocupan de las vulnerabilidades recientemente descubiertas, y que Windows XP no recibirá después del 8 de abril de 2014.  Esto significa que ejecutar Windows XP cuando el producto sea obsoleto (después de que termine el soporte), aumentará el riesgo de que la tecnología se vea afectada por los delincuentes cibernéticos que intentan hacer daño.  Esta entrada de blog continuará a partir de ese artículo, y también proporciona una orientación a considerar para el futuro.

Muchos de los clientes empresariales con los que he hablado recientemente han terminado, o están en el proceso de terminar proyectos de tecnología que mueven sus entornos de computación de escritorio de Windows XP a Windows 7 o Windows 8.  Sin embargo, también he hablado con algunas pequeñas empresas y personas que no planean reemplazar sus sistemas Windows XP, incluso después de que termine el soporte para estos sistemas en abril.  En vista de ello, quiero compartir algunas de las amenazas específicas a los sistemas basados en Windows XP que los atacantes pueden intentar después de que termine el soporte, para que estos clientes puedan entender los riesgos y, con suerte, decidan actualizar inmediatamente a una versión más segura de Windows, o acelerar los planes existentes para hacerlo.

Las amenazas cibernéticas expuestas en el presente se basan en los datos y puntos de vista de los volúmenes recientes del informe de Inteligencia de la seguridad de Microsoft  (Microsoft Security Intelligence Report).  Este informe incluye datos agregados sobre las amenazas que enfrentan los cientos de millones de sistemas alrededor del mundo, muchos de los cuales son bloqueados con éxito a través del software antivirus de Microsoft y las características de seguridad integradas en Windows, Internet Explorer, Bing, y otros productos y servicios de Microsoft. Estos datos nos dan una buena idea de las tácticas que los atacantes han estado utilizando para intentar poner en riesgo los sistemas de cómputo, incluyendo cuáles ataques se utilizan con mayor frecuencia en los sistemas Windows XP.  La información posteriormente ayuda a Microsoft y a las empresas de seguridad antivirus a desarrollar maneras para combatir esos ataques.  A partir del año en que se construyó Windows XP, los ataques cibernéticos han aumentado en sofisticación.  Los sistemas que reciben actualizaciones regulares obtienen las protecciones que necesitan con base en las amenazas cibernéticas más recientes.  Sin embargo, en algún momento, un modelo más antiguo de cualquier producto carecerá de la capacidad de mantenerse actualizado, y se volverá anticuado.  La obsolescencia para Windows XP está a la vuelta de la esquina.

¿Qué motiva a los atacantes cibernéticos?
Las motivaciones de los atacantes han cambiado en la última década.  Hace diez años, los atacantes estaban motivados principalmente por hacer un nombre por sí mismos a través de la notoriedad por cada acto malicioso que completaron.  Hoy en día, los atacantes suelen robar información personal e información de negocios de los sistemas que persiguen e intentan mantener un perfil más bajo, ya que por lo general, el objetivo es la ganancia financiera más que la interrupción maliciosa o el ego.  Los atacantes que roban información de los sistemas de computación a veces optan por comerciar o vender esa información robada a otros delincuentes para utilizarla para robo de identidades y esquemas de fraude bancario.  Además, el acceso a los sistemas de computación en peligro a menudo es vendido o arrendado por los atacantes a otros delincuentes para cometer más delitos contra víctimas inocentes adicionales, mientras proporciona el anonimato de los delincuentes originales.

Las innovaciones de seguridad de Microsoft han dificultado aún más a los atacantes cibernéticos tener éxito
Después del lanzamiento de Windows XP y hasta 2004, hubo varios ataques cibernéticos que ganaron consciencia generalizada en los medios de noticias y con muchos clientes. A raíz de esos ataques de virus informáticos, Microsoft invirtió más en varias protecciones importantes de seguridad y transformó las mejoras existentes (llamadas “mitigaciones” por los expertos en seguridad) para brindar una mejor protección a los clientes que ejecutaban Windows XP.  Este impulso de protección dio lugar a una importante actualización llamada Windows XP Service Pack 2, que se liberó en 2004.  Una de las mitigaciones de seguridad que se integró a Service Pack 2 fue una característica llamada Windows Firewall. Esto ayudó a detener muchos de los ataques que eran comunes en ese momento, y dificultó mucho más a los atacantes violar los sistemas Windows XP.  Nuestro informe de inteligencia de seguridad muestra que el tiempo entre ataques importantes se extendió en longitud después de que se liberó Windows XP Service Pack 2, lo que demostró que Service Pack 2 proporcionó más protección que las versiones anteriores de Windows XP.

Los sospechosos usuales– Amenazas que se pueden esperar contra Windows XP
Los tipos de ataques en los que esperamos centrar los sistemas Windows XP después del 8 de abril de 2014 probablemente reflejarán las motivaciones de los atacantes de hoy en día.  Los delincuentes cibernéticos trabajarán para tomar ventaja de las empresas y las personas que ejecutan el software que ya no tiene actualizaciones disponibles para reparar problemas.  Con el tiempo, los atacantes van a evolucionar su software malicioso, sus sitios web maliciosos, y ataques de phishing para aprovechar las nuevas vulnerabilidades recién descubiertas en Windows XP, que se publicarán el 8 de abril, y que ya no serán resueltas.

He aquí una lista de los riesgos que pueden enfrentar los sistemas basados en Windows XP con el paso del tiempo, junto con orientación para ayudar a las pequeñas empresas y a los consumidores individuales a protegerse temporalmente  contra los ataques cibernéticos mientras se mueven a un sistema operativo moderno:

Entonces, ¿qué debe hacer?
La orientación anterior proporciona sugerencias para manejar algunos de los riesgos de ejecutar Windows XP después del 8 de abril.  Sin embargo, el objetivo primario de nuestro consejo es claro: la mejor opción es migrar a un sistema operativo moderno como Windows 7 o Windows 8 que tiene una década de mitigaciones de seguridad evolucionadas desarrolladas y que contará con soporte después del 8 de abril de 2014. 

Consejo de actualización
Para los clientes que están considerando actualizar un dispositivo diseñado para ejecutar Windows XP, nosotros recomendamos comprar hardware moderno, desde laptops hasta tabletas y todo-en-uno habilitados para touch, para aprovechar al máximo las características y la interfaz basada en touch disponible en los sistemas Windows 8 o posteriores.  Los dispositivos modernos no sólo son rápidos y tienen un mayor rendimiento que los dispositivos que ejecutan sistemas operativos anteriores, sino que además incluyen mejores características de seguridad, herramientas de red nuevas y mejoradas para cuando esté en el camino, aplicaciones modernas y más.

Si un cliente quiere actualizar una máquina existente a Windows 8.1, las actividades de actualización dependen del sistema operativo actual en la máquina, y de las capacidades de ese hardware.  Los requisitos del sistema para instalar un sistema operativo nuevo se pueden encontrar aquí (here).

• Los PCs que ejecutan Windows 8 se pueden actualizar a Windows 8.1 a través de Windows Store (para los consumidores) o mediante medios (para las organizaciones más grandes con licenciamiento por volumen).

• Los PCs que ejecutan Windows 7 se pueden actualizar a Windows 8 mediante medios, y después actualizarlos a Windows 8.1 (mediante el proceso anterior).

• Los PCs que ejecutan Windows XP no se pueden actualizar a Windows 7, Windows 8, o Windows 8.1. Se requiere una instalación limpia, aunque se pueden migrar los datos del usuario. 

Para los clientes que no están seguros de cuál versión de Windows utilizan, visite AmIRunningXP.com, un sitio web diseñado para mostrar automáticamente si un PC se está ejecutando en Windows XP o en una versión más reciente de Windows como Windows 7, Windows 8 o Windows 8.1.  Si detecta Windows XP, el sitio web proporciona orientación sobre cómo actualizar antes de la fecha límite de soporte que es el 8 de abril.

Información adicional sobre el fin del soporte para Windows XP y cómo actualizar, se puede encontrar aquí (here).

Tim Rains
Director
Trustworthy Computing Group